Project

General

Profile

« Previous | Next » 

Revision 5158

Added by daigle about 15 years ago

Separate code to do tls and non-tls authentication. Introduce AuthTLSException to make error handling easier.

View differences:

src/edu/ucsb/nceas/metacat/AuthLdap.java
77 77
	private int ldapSearchTimeLimit;
78 78
	private int ldapSearchCountLimit;
79 79
	private String currentReferralInfo;
80
	Hashtable env = new Hashtable(11);
80
	Hashtable<String, String> env = new Hashtable<String, String>(11);
81 81
	private Context rContext;
82 82
	private String userName;
83 83
	private String userPassword;
......
272 272
		logMetacat.warn("AuthLdap.ldapAuthenticate - Trying to authenticate: " + 
273 273
				userDN + " Using server: " + server);
274 274

  
275
		LdapContext ctx = null;
276
		double startTime;
277
		double stopTime;
278 275
		try {
279
			Hashtable env = new Hashtable();
276
			Hashtable<String, String> env = new Hashtable<String, String>();
280 277
			env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
281 278
			env.put(Context.PROVIDER_URL, server);
282 279
			env.put(Context.REFERRAL, "throw");
280
			
283 281
			try {
282
				authenticated = authenticateTLS(env, userDN, password);
283
			} catch (AuthTLSException ate) {
284
				logMetacat.info("AuthLdap.ldapAuthenticate - error while negotiating TLS: "
285
						+ ate.getMessage());
284 286

  
285
				startTime = System.currentTimeMillis();
286
				ctx = new InitialLdapContext(env, null);
287
				// Start up TLS here so that we don't pass our jewels in
288
				// cleartext
289
				StartTlsResponse tls = (StartTlsResponse) ctx
290
						.extendedOperation(new StartTlsRequest());
291
				// tls.setHostnameVerifier(new SampleVerifier());
292
				SSLSession sess = tls.negotiate();
293
				ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
294
				ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
295
				ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
296
				ctx.reconnect(null);
297
				stopTime = System.currentTimeMillis();
298
				logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: "
299
						+ (stopTime - startTime) / 1000 + " seconds.");
300
				authenticated = true;
301
			} catch (IOException ioe) {
302
				logMetacat.info("AuthLdap.ldapAuthenticate - Caught IOException in login while negotiating TLS: "
303
						+ ioe.getMessage());
304

  
305 287
				if (secureConnectionOnly) {
306 288
					return authenticated;
307 289

  
308 290
				} else {
309
					logMetacat.info("AuthLdap.ldapAuthenticate - Trying to authenticate without TLS");
310
					env.put(Context.SECURITY_AUTHENTICATION, "simple");
311
					env.put(Context.SECURITY_PRINCIPAL, userDN);
312
					env.put(Context.SECURITY_CREDENTIALS, password);
313

  
314
					startTime = System.currentTimeMillis();
315
					ctx = new InitialLdapContext(env, null);
316
					stopTime = System.currentTimeMillis();
317
					logMetacat.info("AuthLdap.ldapAuthenticate - Connection time thru " + ldapsUrl + " was: "
318
							+ (stopTime - startTime) / 1000 + " seconds.");
319
					authenticated = true;
291
					authenticated = authenticateNonTLS(env, userDN, password);
320 292
				}
321 293
			}
322 294
		} catch (AuthenticationException ae) {
......
331 303

  
332 304
		return authenticated;
333 305
	}
306
	
307
	private boolean authenticateTLS(Hashtable<String, String> env, String userDN, String password)
308
			throws AuthTLSException{	
309
		logMetacat.info("AuthLdap.authenticateTLS - Trying to authenticate with TLS");
310
		try {
311
			LdapContext ctx = null;
312
			double startTime;
313
			double stopTime;
314
			startTime = System.currentTimeMillis();
315
			ctx = new InitialLdapContext(env, null);
316
			// Start up TLS here so that we don't pass our jewels in
317
			// cleartext
318
			StartTlsResponse tls = 
319
				(StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
320
			// tls.setHostnameVerifier(new SampleVerifier());
321
			SSLSession sess = tls.negotiate();
322
			ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
323
			ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDN);
324
			ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
325
			ctx.reconnect(null);
326
			stopTime = System.currentTimeMillis();
327
			logMetacat.info("AuthLdap.authenticateTLS - Connection time thru "
328
					+ ldapsUrl + " was: " + (stopTime - startTime) / 1000 + " seconds.");
329
		} catch (NamingException ne) {
330
			throw new AuthTLSException("AuthLdap.authenticateTLS - Naming error when athenticating via TLS: " + ne.getMessage());
331
		} catch (IOException ioe) {
332
			throw new AuthTLSException("AuthLdap.authenticateTLS - I/O error when athenticating via TLS: " + ioe.getMessage());
333
		}
334
		return true;
335
	}
336
	
337
	private boolean authenticateNonTLS(Hashtable<String, String> env, String userDN, String password) 
338
			throws NamingException {
339
		LdapContext ctx = null;
340
		double startTime;
341
		double stopTime;
342
		
343
		logMetacat.info("AuthLdap.authenticateNonTLS - Trying to authenticate without TLS");
344
		env.put(Context.SECURITY_AUTHENTICATION, "simple");
345
		env.put(Context.SECURITY_PRINCIPAL, userDN);
346
		env.put(Context.SECURITY_CREDENTIALS, password);
334 347

  
348
		startTime = System.currentTimeMillis();
349
		ctx = new InitialLdapContext(env, null);
350
		stopTime = System.currentTimeMillis();
351
		logMetacat.info("AuthLdap.authenticateNonTLS - Connection time thru " + ldapsUrl + " was: "
352
				+ (stopTime - startTime) / 1000 + " seconds.");
353

  
354
		return true;
355
	}
356

  
335 357
	/**
336 358
	 * Get the identifying name for a given userid or name. This is the name
337 359
	 * that is used in conjunction withthe LDAP BaseDN to create a distinguished
src/edu/ucsb/nceas/metacat/AuthTLSException.java
1
/**
2
 *  '$RCSfile$'
3
 *    Purpose: An Exception thrown when an error occurs because an 
4
 *             AccessionNumber was invalid or used incorrectly
5
 *  Copyright: 2008 Regents of the University of California and the
6
 *             National Center for Ecological Analysis and Synthesis
7
 *    Authors: Michael Daigle
8
 *
9
 *   '$Author: daigle $'
10
 *     '$Date: 2008-07-06 21:25:34 -0700 (Sun, 06 Jul 2008) $'
11
 * '$Revision: 4080 $'
12
 *
13
 * This program is free software; you can redistribute it and/or modify
14
 * it under the terms of the GNU General Public License as published by
15
 * the Free Software Foundation; either version 2 of the License, or
16
 * (at your option) any later version.
17
 *
18
 * This program is distributed in the hope that it will be useful,
19
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
21
 * GNU General Public License for more details.
22
 *
23
 * You should have received a copy of the GNU General Public License
24
 * along with this program; if not, write to the Free Software
25
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
26
 */
27

  
28
package edu.ucsb.nceas.metacat;
29

  
30
/**
31
 * Exception thrown when an error occurs in a configuration administrative
32
 * class
33
 */
34
public class AuthTLSException extends Exception {
35
	
36

  
37
	/**
38
	 * 
39
	 */
40
	private static final long serialVersionUID = 525418630212063646L;
41

  
42
	/**
43
	 * Create a new AuthTLSException.
44
	 *
45
	 * @param message The error or warning message.
46
	 */
47
	public AuthTLSException(String message) {
48
		super(message);
49
	}
50
}
0 51

  

Also available in: Unified diff